StudioPress

Stopping Attempted Wp-Logins


This topic is: not resolved

Tagged: login, wp-admin

  • This topic has 6 replies, 6 voices, and was last updated 9 years, 11 months ago by crabbydigital.
  • April 12, 2013 at 5:28 pm #35106
    crabbydigital
    Member

    All,

    Does anyone have any advice or best practices on how to combat, stop, or prevent hackers from attempting to log in to the wp-admin area? I am seeing a large rise in the number of attempts to my sites as well as my client's sites.

    I have done about as much as I can think of to try and prevent these kinds of problems including using security plugins (Better WP Security), ensuring there is no admin user, and setting IPs to be blocked after so many failed login attempts.

    I guess I could just change login pages (wp-admin, login, etc) using the plugin noted above but that really scares me thinking of all the other stuff that could break.

    What other ideas on how to prevent this junk am I missing?

    Thanks so much!

    April 12, 2013 at 6:01 pm #35109
    wp guy
    Member

    I use Better WP Security with no issues and it seems to work since I got emailed reports when IPs get locked out. Happens often, which is scary.

    April 12, 2013 at 6:29 pm #35111
    Bill Murray
    Member

    Brute force attacks on WP are currently a big news item, but in many ways they are being made into a big news item by companies that are selling security solutions. Matt Mullenweg posted the same thing earlier today.

    Security plugins in general will have a very bad performance impact on your site. They are attempting to do something in PHP that needs to be done BEFORE PHP is executed. The first thing you should do is check to see if you can add a plugin from within the WP dashboard. If you can, your site is inherently insecure. The web server user that runs WP should not have write access to wp-content, but it needs that access if you can install plugins via the dashboard. If your installation is configured that way, you've opened the biggest security hole you can at the starting gate.

    Further, using a security plugin to block IPs doesn't really solve all problems. A swarm of bad actors can hit your site, all of which might be blocked by your PHP-based security plugin, but the swarm might be an effective DoS attack that brings your site to its knees. You need to do blocking at the server level to stop that.

    You also need to make sure users don't publicly display their user name because that gives an attacker 1/2 of the information he needs at the beginning.


    Web: https://wpperform.com or Twitter: @wpperform

    We do managed WordPress hosting.

    April 12, 2013 at 7:42 pm #35126
    Brad Dalton
    Participant

    Limit login attempts or Wordfence plugin which also includes this feature.

    Code Poet have an excellent Security guide for download http://build.codepoet.com/2012/07/10/locking-down-wordpress/


    Tutorials for StudioPress Themes.

    April 13, 2013 at 6:36 am #35206
    Nomad
    Member

    If you and/or your client are functioning on static IPs, block the wp_admin folder in htaccess to only allow those IPs access. I try to enforce all security here first (htaccess), then move onwards to plugins as mentioned before. It can be a pain if you are trying to log in from a 3G IP or an "on the road" IP, but I'd rather quickly change this via FTP than risk being exposed.
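
The htaccess allow-list described in the post above, written out as an added example (not part of the original post). The addresses are placeholders from the documentation ranges; it covers both Apache 2.2 and 2.4 syntax and the two files a wp-admin-only rule misses or breaks.

```apache
# ---- wp-admin/.htaccess ------------------------------------------
# Only the listed static addresses (placeholders) reach the dashboard.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# admin-ajax.php lives in wp-admin but is requested by ordinary
# front-end visitors, so it has to stay reachable for everyone.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>

# ---- site root .htaccess -----------------------------------------
# wp-login.php sits in the site root, not in wp-admin, so the login
# form needs its own rule or it stays open to password guessing.
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>
```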

    April 14, 2013 at 3:42 pm #35472
    Gary Jones
    Member

    Make sure your administrator isn't called admin, administrator, root and so on.

    Consider the Stealth Login Page plugin.

    Don't bother with IP-based solutions, including Limit Logins plugin - with a botnet of 90,000 or so, it's not going to solve anything.


    WordPress Engineer, and key contributor to the Genesis Framework | @GaryJ
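
To see the effect behind the botnet point in the post above, this added example (not part of the original thread) tallies POSTs to wp-login.php from access-log lines and compares a per-IP lockout with a site-wide count. The log lines are constructed samples, and both thresholds are assumed values for one time window.

```python
import re
from collections import Counter

# Prefix of an Apache/nginx "combined" log line: source IP, method, path.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def login_posts(lines):
    """Yield the source IP of every POST to wp-login.php."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            yield ip

def assess(lines, per_ip_limit=5, site_limit=20):
    """Compare a per-IP lockout with a site-wide count for one window.

    per_ip_limit and site_limit are assumed thresholds, not plugin defaults.
    """
    per_ip = Counter(login_posts(lines))
    total = sum(per_ip.values())
    return {
        "total_posts": total,
        "distinct_ips": len(per_ip),
        "ips_locked_out": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        "site_wide_alert": total >= site_limit,
    }

def sample_log(sources, attempts_each):
    """Constructed sample: each source sends attempts_each login POSTs."""
    fmt = ('{ip} - - [12/Apr/2013:17:28:{s:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" 200 3521 "-" "-"')
    lines = [fmt.format(ip=ip, s=i % 60)
             for ip in sources for i in range(attempts_each)]
    # A plain page view of the login form; it must not be counted.
    lines.append('192.0.2.200 - - [12/Apr/2013:17:29:00 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 3400 "-" "-"')
    return lines

# One noisy host: 30 attempts from a single address.
SINGLE = sample_log(["203.0.113.7"], 30)
# Distributed: 30 addresses with 2 attempts each, all under the per-IP limit.
BOTNET = sample_log([f"198.51.100.{n}" for n in range(1, 31)], 2)

if __name__ == "__main__":
    for name, log in (("single host", SINGLE), ("distributed", BOTNET)):
        print(name, assess(log))
```

The distributed sample sends twice as many guesses as the single host, yet no address crosses the per-IP limit; only the site-wide count notices it.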

    April 14, 2013 at 10:22 pm #35505
    crabbydigital
    Member

    Thanks so much to all for the tips.
